The Samba-Bugzilla – Attachment 16814 Details for
Bug 14836
Python ldb.msg_diff() memory handling failure
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
patch from master backported to 4.14
ldb-msg.diff-4.14.patch (text/plain), 5.70 KB, created by
Andrew Bartlett
on 2021-09-24 03:06:08 UTC
(
hide
)
Description:
patch from master backported to 4.14
Filename:
MIME Type:
Creator:
Andrew Bartlett
Created:
2021-09-24 03:06:08 UTC
Size:
5.70 KB
patch
obsolete
>From 02bb99efeffaf8fd1d5dab61431e131d85d044be Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Mon, 13 Sep 2021 11:34:56 +1200 >Subject: [PATCH 1/3] pytest:segfault: Add test for ldb.msg_diff() > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14836 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> > >[abartlet@samba.org backported form from commit >a99a76722d6046a5d63032e3d2bb3f791da948a6 due to conflicts >with other new segfault tests] >--- > python/samba/tests/segfault.py | 11 +++++++++++ > selftest/knownfail.d/python-segfaults | 1 + > 2 files changed, 12 insertions(+) > >diff --git a/python/samba/tests/segfault.py b/python/samba/tests/segfault.py >index 07e2d46d56a..eac314982a8 100644 >--- a/python/samba/tests/segfault.py >+++ b/python/samba/tests/segfault.py >@@ -174,3 +174,14 @@ class SegfaultTests(samba.tests.TestCase): > def test_dcerpc_idl_inline_arrays(self): > """Inline arrays were incorrectly handled.""" > dnsserver.DNS_RPC_SERVER_INFO_DOTNET().pExtensions >+ >+ @segfault_detector >+ def test_ldb_msg_diff(self): >+ samdb = self.get_samdb() >+ >+ msg = ldb.Message() >+ msg.dn = ldb.Dn(samdb, '') >+ diff = samdb.msg_diff(msg, msg) >+ >+ del msg >+ diff.dn >diff --git a/selftest/knownfail.d/python-segfaults b/selftest/knownfail.d/python-segfaults >index 1be0566dcb1..b7229fc7229 100644 >--- a/selftest/knownfail.d/python-segfaults >+++ b/selftest/knownfail.d/python-segfaults >@@ -1 +1,2 @@ > samba.tests.segfault.samba.tests.segfault.SegfaultTests.test_net_replicate_init__3 >+samba.tests.segfault.samba.tests.segfault.SegfaultTests.test_ldb_msg_diff >-- >2.25.1 > > >From 2301041faa52ee8180f9f3396007c402c35c10c7 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 14 Sep 2021 11:08:41 +1200 >Subject: [PATCH 2/3] ldb_msg: Don't fail in ldb_msg_copy() if source DN is > NULL > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14836 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >(cherry picked from commit c2bbe774ce03661666a1f48922a9ab681ef4f64b) >--- > lib/ldb/common/ldb_msg.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > >diff --git a/lib/ldb/common/ldb_msg.c b/lib/ldb/common/ldb_msg.c >index 2346e66ec39..7131f013f71 100644 >--- a/lib/ldb/common/ldb_msg.c >+++ b/lib/ldb/common/ldb_msg.c >@@ -876,8 +876,10 @@ struct ldb_message *ldb_msg_copy(TALLOC_CTX *mem_ctx, > msg2 = ldb_msg_copy_shallow(mem_ctx, msg); > if (msg2 == NULL) return NULL; > >- msg2->dn = ldb_dn_copy(msg2, msg2->dn); >- if (msg2->dn == NULL) goto failed; >+ if (msg2->dn != NULL) { >+ msg2->dn = ldb_dn_copy(msg2, msg2->dn); >+ if (msg2->dn == NULL) goto failed; >+ } > > for (i=0;i<msg2->num_elements;i++) { > struct ldb_message_element *el = &msg2->elements[i]; >-- >2.25.1 > > >From 7fc1df0acf47460d85dc21506c3bd797d344ad99 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Mon, 13 Sep 2021 11:15:17 +1200 >Subject: [PATCH 3/3] pyldb: Avoid use-after-free in msg_diff() > >Make a deep copy of the message elements in msg_diff() so that if either >of the input messages are deallocated early, the result does not refer >to non-existing elements. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14836 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> > >[abartlet@samba.org backported from commit > 19a2af02f57d99db8ed3c6b028c3abdf4b553700 due to conflicts in > the knownfail.d/python-segfaults file] >--- > lib/ldb/pyldb.c | 18 ++++++++++++++++-- > selftest/knownfail.d/python-segfaults | 1 - > 2 files changed, 16 insertions(+), 3 deletions(-) > >diff --git a/lib/ldb/pyldb.c b/lib/ldb/pyldb.c >index 813cdb0870e..443b677c2c4 100644 >--- a/lib/ldb/pyldb.c >+++ b/lib/ldb/pyldb.c >@@ -1804,6 +1804,7 @@ static PyObject *py_ldb_msg_diff(PyLdbObject *self, PyObject *args) > struct ldb_message *diff; > struct ldb_context *ldb; > PyObject *py_ret; >+ TALLOC_CTX *mem_ctx = NULL; > > if (!PyArg_ParseTuple(args, "OO", &py_msg_old, &py_msg_new)) > return NULL; >@@ -1818,19 +1819,32 @@ static PyObject *py_ldb_msg_diff(PyLdbObject *self, PyObject *args) > return NULL; > } > >+ mem_ctx = talloc_new(NULL); >+ if (mem_ctx == NULL) { >+ PyErr_NoMemory(); >+ return NULL; >+ } >+ > ldb = pyldb_Ldb_AS_LDBCONTEXT(self); >- ldb_ret = ldb_msg_difference(ldb, ldb, >+ ldb_ret = ldb_msg_difference(ldb, mem_ctx, > pyldb_Message_AsMessage(py_msg_old), > pyldb_Message_AsMessage(py_msg_new), > &diff); > if (ldb_ret != LDB_SUCCESS) { >+ talloc_free(mem_ctx); > PyErr_SetString(PyExc_RuntimeError, "Failed to generate the Ldb Message diff"); > return NULL; > } > >+ diff = ldb_msg_copy(mem_ctx, diff); >+ if (diff == NULL) { >+ PyErr_NoMemory(); >+ return NULL; >+ } >+ > py_ret = PyLdbMessage_FromMessage(diff); > >- talloc_unlink(ldb, diff); >+ talloc_free(mem_ctx); > > return py_ret; > } >diff --git a/selftest/knownfail.d/python-segfaults b/selftest/knownfail.d/python-segfaults >index b7229fc7229..1be0566dcb1 100644 >--- a/selftest/knownfail.d/python-segfaults >+++ b/selftest/knownfail.d/python-segfaults >@@ -1,2 +1 @@ > samba.tests.segfault.samba.tests.segfault.SegfaultTests.test_net_replicate_init__3 >-samba.tests.segfault.samba.tests.segfault.SegfaultTests.test_ldb_msg_diff >-- >2.25.1 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=16814">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Flags:
dbagnall
:
review+
abartlet
:
ci-passed+
Actions:
View
Attachments on
bug 14836
:
16813
| 16814